-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Inconsistency: Default content_security_policy
#98
Comments
The documentation that you've linked for Chrome is specific to Chrome apps, and the source code confirms that this is Chrome app-specific: https://source.chromium.org/chromium/chromium/src/+/main:extensions/common/manifest_handlers/csp_info.cc;l=44;drc=2d18bf1fec6017d20ced5b6110fdbfc8a342ebb5 Extensions have a default CSP similar to Firefox: https://source.chromium.org/chromium/chromium/src/+/main:extensions/common/manifest_handlers/csp_info.cc;l=33;drc=ce6c3b02c5cc847a3febdef23416e1ae7feaa9f9 |
Linking this specific Chromium bug related to WASM support and the extension specific |
Chrome has landed a patch that changed the default CSP to Firefox is about to support I have filed two follow-up bugs to work towards the resolution of the differences:
P.S. As noted in the Chromium report, there is not that much point in requiring |
Hi folks! We're looking into this (Extension CSP) on the Chrome side to address a number of outstanding issues we have. I'd like to see if we can align with other browser vendors where possible. I've written up a doc with a proposal here: (World-viewable, feel free to request comment access.) Please let us know what you think. |
@rdcronin Thanks so much! Good to see this! Can you grant comment access? (As far as I know requesting comment access directly in Google Docs is not possible at this moment) |
We've had issues in the past with various spam when opening up comments to anyone on the web with the link — for anyone who wants access, go ahead and request edit access and I'll grant comment access to the email address from the request. (Separately, @dotproto , can we create a WECG Google Group so that we can easily share docs with that alias?) |
@rdcronin, I started looking into this. I've created a Google Group, but I think I will need W3C assistance to populate and maintain the group's members. Reaching out now. |
I've seen (and responded to) Rob's comments on the doc; does anyone else have concerns with the proposed approach? |
The proposal document focus on PS: I see @dotproto created a google group and I am in it, but I don't see I have comment permission in that document. |
I suppose that you are wondering why the document only mentions In case it wasn't clear: the browser uses CSP in extensions to restrict remote code execution. In MV1 there were no restrictions. In MV2 insecure scripts (http:) were blocked, and remote code from eval and https were allowed via an opt-in, to protect the extension against XSS. In MV3 all remote scripts are blocked, no exceptions, to protect the user from unverified code. Other CSP directives ( |
Ok. So there aren't any other CSP restrictions other than remote script and (proposed) |
Mostly correct. The minimum CSP is what would enforce the CSP restrictions, and is proposed to be:
This restricts scripts to the extension origin and localhost, allows wasm to be used, and restricts object-src to The upgrade-insecure-requests change would not be a restriction, per se, but rather a default (which could then be overridden by the extension). |
Hi folks! I think the only outstanding question here is one that Rob raised in the doc about whether allowing localhost / 127.0.0.1 as a script source should only be allowed for unpacked extensions. Since the main purpose here is development, the idea is that this would be sufficient to allow folks to use these locally-hosted scripts during the development process, while avoiding opening up any security concerns for packed extensions. Our question is whether this would be sufficient for localhost use cases or if this would still break a number of important flows. Does anyone have concrete examples of issues that would arise if we only allow localhost for unpacked extensions? |
I agree with Rob, there is generally no need to load localhost scripts in extension pages. Could you scan localhost CSP in Web store extensions? (only browser vendors can do it) |
We could scan it in the webstore, but if the propose in the comment above is reasonable, we can restrict it at the platform level, as well. Since there haven't been any objects to this here, we'll proceed with that approach. We can relax it if necessary in the future. |
@Rob--W , I'm going to tentatively move forward with the changes to sandboxed page CSP and allowing localhost in unpacked extensions, if there are no further concerns here. |
Sounds good to me. The proposed minimum CSP (base CSP is the terminology used in Firefox) an default CSP look good. Other questions that I had are already noted in the document as follow-ups, so I see no blockers against proceeding as is. One thing that I didn't mention before - the proposal currently lists If you want to block plugins in extensions, then a platform-level way to block it independent of CSP can help with keeping the (minimum) CSP concise. I noted that in the last sentence at #204. |
@rdcronin Thanks for writing up the document!
As in between option we can consider a warning instead of an error. This would give more freedom in future changes regarding the minimum extension CSP and allows browsers and browser versions to differ with their minimum extension CSP.
This would be very welcome for the overall web platform itself. Being able to see which of the potentially many CSPs set triggered a certain CSP error is very helpful in debugging CSP issues. |
Allow remote sources in manifest V3 extension sandboxed pages. Add browsertests for the same. This is discussed in more detail at w3c/webextensions#98. Bug: 770271 Change-Id: Ibd0f24a2fda69bf8bfc1027c3ebe1e688afe2f20 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3969158 Reviewed-by: David Bertoni <dbertoni@chromium.org> Commit-Queue: Devlin Cronin <rdevlin.cronin@chromium.org> Cr-Commit-Position: refs/heads/main@{#1083512}
(I'm preparing a slide about Extension MV3) Edit: add Firefox's CSP Let me summarize the current state. By default, if there is no explicit declaration of CSP, it is:
The minimum CSP (maximum allowable CSP by developers) is:
|
In Firefox, MV3's default CSP is In Firefox, localhost cannot be allowlisted. Chrome intentionally supports localhost in the CSP in unpacked extensions only. Firefox doesn't restrict |
On Firefox's end, we decided that we are willing to support localhost/127.0.0.1 scripts in temporarily loaded MV3 extensions (was already supported in MV2). Follow https://bugzilla.mozilla.org/show_bug.cgi?id=1864284 for progress. |
@rdcronin Chrome has a |
Background
Currently no good documentation is present on what the default
content_security_policy
is for every context (extension_pages
,content_scripts
andsandbox
). This is a must when composing a custom CSP, especially when default-src is not set.Firefox documentation gives:
script-src 'self'; object-src 'self';
See: MDN Docs
Chrome documentation gives:
default-src 'self'; connect-src * data: blob: filesystem:; style-src 'self' data: 'unsafe-inline'; img-src 'self' data:; frame-src 'self' data:; font-src 'self' data:; media-src * data: blob: filesystem:;
See: Chrome Docs. However, this seems to only apply to the legacy Chrome Apps.
Also no info is present on what the default is in MV3 or if it differs from MV2.
Action items
Proposals
default-src
in custom CSP could be proposed.See also:
content_security_policy
browser restrictions #99The text was updated successfully, but these errors were encountered: